BKAUINSS.RVW 20060706 "Auditing Information Systems", Jack J. Champlain, 2003, 0-471-28117-4, U$92.00/C$119.99 %A Jack J. Champlain %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-471-28117-4 %I John Wiley & Sons, Inc. %O U$92.00/C$119.99 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471281174/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471281174/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471281174/robsladesin03-20 %O Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation) %P 430 p. %T "Auditing Information Systems, second edition" The preface states that the audience is intended to be general (non- specialist) managers, auditing students, and new auditors, but that all readers are assumed to be familiar with some fairly specialized audit concepts. Part one is for core concepts, more related to computing than auditing. Chapter one outlines the basic components of computers, but tersely, and dealing with specific items rather than ideas. There is an odd digression into computer viruses when discussing memory, and a brief mention of physical and logical controls. "Identifying Computer Systems," in chapter two, mostly suggests having an inventory, with a brief mention of risk assessment. Part two covers the standard information system audit approach. Chapter three explains that an information system audit programme is basically a checklist. Definitions of policies and standards (and a weak interpretation of guidelines) are in chapter four. Various country standards for audits (concentrating on what types of opinions outside auditors can express) and some private certification organizations are summarized in chapter five. Chapter six is about assessing vendors on the basis of audits that have been done on them, and most of the content repeats, in slightly different wording, the concepts from chapters four and five. Physical security is presented, with some rather large gaps (there is no mention of facilities construction issues), in chapter seven. (Somewhat oddly, backups and business continuity planning are included here.) Logical security, in chapter eight, is limited to aspects of access control and operations, and is padded out with lots of anecdotes under the heading of "case studies." Chapter nine's review of information systems operations is circumscribed and random, and has additional stories. Champlain seems to think that the topics in part three are contemporary, or possibly advanced, auditing concepts. Chapter ten explains that Control Self-Assessment (CSA) is the idea of having auditors talk to the people who actually do the work in order to find out what controls might be necessary (what a novel idea!), and devotes a great deal of space to describing the various control frameworks, such as COSO (report of the Committee of Sponsoring Organizations of the Treadway commission) and CObIT (Control Objectives for Information Technology). There is lots of trivia, but little useful information, about encryption and cryptography in chapter eleven. Computer forensics gets slightly better treatment in chapter twelve, but is restricted to disk recovery and investigation management. Chapter thirteen contains miscellaneous topics like computer-aided auditing tools, and computer viruses, but most of the text concentrates on the Internet (which section includes, for some reason, a large discussion of privacy issues). (Despite the fact that the piece on viruses holds very little real information, it manages to make a surprising number of errors, including an astounding retailing of the "Desert Storm" virus myth that seems to have become inverted.) Chapter fourteen seems to be advice on career issues for auditors. A fairly banal review of project (particularly development project) management methods makes up the examination of information systems project auditing, in chapter fifteen. Chapter sixteen is a collection of random thoughts on a variety of risks. There is a lot of space devoted to "case studies" in the book. These anecdotes are often odd, and the relevance to the surrounding text is difficult to determine. Similarly, exhibits and tables are not always illustrative of the subjects under discussion. Sometimes these "supporting" materials are the opposite of exemplar: at one point a "sample" policy is reprinted, but then later content points out a number of problems with it. Security professionals are all too used to seeing auditors as the "enemy": ignorant management weenies and accounting dweebs with little or no understanding of the technology or information system operations. This perception is unfortunate, since the reality is that nobody can realistically and objectively assess their own work, and the viewpoint from another perspective is exceedingly valuable for finding potential problems before they find you. It's too bad that a promising activity gets a work like this, which is going to reinforce the negative prejudice. copyright Robert M. Slade, 2006 BKAUINSS.RVW 20060706